A significant incident in the crypto world has come to light, revealing the vulnerability of unsuspecting users to sophisticated phishing schemes. On September 18, a crypto whale suffered a staggering loss of over $6 million in staked Ethereum (stETH) and Aave-wrapped Bitcoin (aEthWBTC). According to blockchain security firm Scam Sniffer, the incident was a result of the victim unknowingly approving malicious signatures.
The attackers executed a well-crafted scheme, disguising their actions as a routine wallet confirmation process through what is known as “Permit” signatures. This manipulation tricked the victim into approving fund transfers without raising any red flags. Yu Xian, the founder of the blockchain security company SlowMist, commented on the matter, explaining that the victim did not perceive any threat due to the absence of gas fees associated with the transaction. He emphasized the ease of the attack, stating, “From the victim’s perspective, he just clicked a few times to confirm the wallet’s pop-up signature requests, didn’t spend a single penny of gas, and $6.28 million was gone.”
Permit approvals were originally intended to improve user experience by simplifying token transfers. Instead of sending an on-chain approval transaction that costs gas, the user signs an off-chain message that authorizes a spender to draw on a token allowance. That convenience has also opened a new avenue for malicious actors. Once a user signs such a permit, an attacker can submit it through the token’s permit function and then call transferFrom to siphon assets directly from the user’s wallet. Because the authorization is signed off-chain, wallet dashboards show nothing unusual until the transaction is finalized on-chain, by which point the tokens have already been rerouted to the attacker’s wallet.
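As an added illustration, not code from the article or from Scam Sniffer or SlowMist, here is a wallet-side screening check over a constructed EIP-2612 Permit request of the kind a phishing page submits for signing; the spender allowlist, all addresses, the token name and the seven-day deadline threshold are assumptions.

```javascript
// Added example: defender-side screening of an EIP-2612 "Permit" typed-data
// request (the object a dapp passes to eth_signTypedData_v4) before the user
// signs it. Flags the traits that made the incident above possible: the
// signature costs no gas, happens off-chain, and may grant unlimited spending.
const MAX_UINT256 = (1n << 256n) - 1n;
const ONE_WEEK = 7n * 86400n; // assumed threshold for a "far future" deadline

// Assumed allowlist of spenders the user deliberately approved earlier
// (hypothetical placeholder address; a real wallet keeps this per user/chain).
const KNOWN_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

function screenPermitRequest(typedData, opts = {}) {
  const now = BigInt(opts.nowSeconds ?? Math.floor(Date.now() / 1000));
  if (typedData.primaryType !== "Permit") {
    return { isPermit: false, highRisk: false, warnings: [] };
  }
  const msg = typedData.message;
  const value = BigInt(msg.value);       // accepts decimal or 0x-hex strings
  const deadline = BigInt(msg.deadline);
  const warnings = [];
  if (value === MAX_UINT256) warnings.push("unlimited allowance");
  if (!KNOWN_SPENDERS.has(String(msg.spender).toLowerCase())) warnings.push("unknown spender");
  if (deadline === MAX_UINT256 || deadline > now + ONE_WEEK) warnings.push("deadline far in future");
  if (opts.userAddress && String(msg.owner).toLowerCase() !== opts.userAddress.toLowerCase()) {
    warnings.push("owner is not the connected account");
  }
  return {
    isPermit: true,
    token: typedData.domain.verifyingContract,
    spender: msg.spender,
    value: value.toString(),
    highRisk: warnings.length > 0,
    warnings,
  };
}

// Constructed sample request shaped like a phishing prompt: unlimited value,
// unfamiliar spender, deadline set to uint256 max. The EIP-712 "types" field
// is omitted because the screening logic does not need it.
const SAMPLE_REQUEST = {
  domain: { name: "ExampleToken", version: "1", chainId: 1,
            verifyingContract: "0x" + "ae".repeat(20) }, // placeholder token
  primaryType: "Permit",
  message: {
    owner: "0x" + "22".repeat(20),     // placeholder victim address
    spender: "0x" + "33".repeat(20),   // placeholder attacker-controlled address
    value: MAX_UINT256.toString(),
    nonce: 0,
    deadline: MAX_UINT256.toString(),
  },
};
```

A wallet or browser extension would run this on every typed-data request and require explicit acknowledgement of each warning before producing a signature.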
The recent incident underscores a growing trend in the realm of phishing, with Scam Sniffer reporting that in August alone, attackers accumulated $12.17 million from over 15,200 victims. This marked a significant 72% increase in losses compared to July. Notably, the losses were concentrated among a few large accounts, with three accounts accounting for nearly half of the total damages. One particularly striking case involved a wallet that lost $3.08 million in a single exploit.
The surge in phishing losses has been attributed to the rise of EIP-7702 batch-signature scams and direct transfers to malicious contracts. In light of this alarming trend, security experts are urging cryptocurrency users to exercise extreme caution when interacting with wallet requests. It is essential to be wary of any request that would grant unlimited spending permissions over a wallet’s tokens, as such approvals can pave the way for significant financial losses.
The incident serves as a stark reminder of the ever-present risks in the digital asset landscape, highlighting the need for heightened security measures and user awareness to combat increasingly sophisticated phishing attacks.